Splunkers... I have dug thru the Answers Area for quite some time, and have not found what I am looking for. I am thinking that the solution would be in some form of transaction, but I am a bit of a neophyte with Splunk and am having difficulty developing a solution.

So.. I am hoping that y'all might be able to help me.

Problem: I have users who are likely sharing their VPN accounts to access my network. My assumption is that ANY user who is logged more than once over the same time period would be sharing accounts

I want to identify those users, and report who they are, how often the accounts are shared

My logging is from a Cisco VPN Concentrator and the logging looks like

Oct  8 15:30:19 XXX.XXX.com local0:notice 800067: 2010 Oct 08 15:28:56.460 EDT -4:00 %AUTH-5-28: RPT=138359: xxx.xxx.xxx.xxx: User [domain1\tannesh] Group [remotentusers] disconnected:  Session Type: IPSec/UDP  Duration: 0:00:50  Bytes xmt: 749392  Bytes rcv: 112960  Reason: User Requested


Oct  8 15:29:58 xxx.xxx.com local0:notice 800038: 2010 Oct 08 15:28:35.840 EDT -4:00 %IKE-5-52: RPT=139484: xxx.xxx.xxx.xxx: Group [remotentusers] User [domain1\tannesh] User (tannesh) authenticated.

My closest Failed Attempt looks like

eventtype="VPN LogData"| search authenticated OR disconnected |rex field=_raw "(^.*\sUser\s\[\w+\]\sUser\s\(\w+\)\s)(?<CMD>.*)(\..*$)" | rex field=_raw "(^.*\[remotentusers\]\s)(?<REZULT>.*)(Session\sType.*$)"  |rex field=_raw "(^.*Duration:\s)(?<DURA>.*)(\s+Bytes\sxmt:.*$)" |transaction DURA CMD maxpause=5m 

Thanks..